Export thread
Chinese military spy chips reportedly found in server motherboards used by Apple, Amazon, etc
#1
GasBandit
GasBandit
https://www.cnbc.com/2018/10/04/chi...denies-the-bloomberg-businessweek-report.html
http://fortune.com/2018/10/04/china-military-spy-chips-supermicro/
https://techcrunch.com/2018/10/04/china-spy-hack-chip-bloomberg-supply-chain/
Apple, Amazon, Supermicro, and the Chinese government are all denying.
https://thenextweb.com/apple/2018/10/04/apple-amazon-chinese-spy-chips/
Given that the original source of the report is bloomberg, it could very well be that this is fake... buuuut... plausible.
http://fortune.com/2018/10/04/china-military-spy-chips-supermicro/
https://techcrunch.com/2018/10/04/china-spy-hack-chip-bloomberg-supply-chain/
Apple, Amazon, Supermicro, and the Chinese government are all denying.
https://thenextweb.com/apple/2018/10/04/apple-amazon-chinese-spy-chips/
Given that the original source of the report is bloomberg, it could very well be that this is fake... buuuut... plausible.
#2
PatrThom
PatrThom
It's not impossible, but of course without actual evidence it's harder to make the assertion.
There are some who are wondering if this hasn't been conflated with cases of Supermicro boards coming with malware-infested firmware installed, rather than actual embedded spy hardware.
I've been waiting for someone to start the "How can we trust boards manufactured by our enemies?" train rolling, maybe this will be it.
...assuming this isn't just propaganda to get everyone all riled up over Chinese manufacturing, that is.
You know who's really going to suffer for this? Supermicro.
--Patrick
There are some who are wondering if this hasn't been conflated with cases of Supermicro boards coming with malware-infested firmware installed, rather than actual embedded spy hardware.
I've been waiting for someone to start the "How can we trust boards manufactured by our enemies?" train rolling, maybe this will be it.
...assuming this isn't just propaganda to get everyone all riled up over Chinese manufacturing, that is.
You know who's really going to suffer for this? Supermicro.
--Patrick
#3
Gared
Gared
This isn't another smokescreen to cover up the announcement that there's yet another un-announced capability in Intel's Management Engine Enabled chips which can allow outside access to your CPU, is it? Because I haven't seen anything in mainstream media yet about "manufacturing mode," but it's starting to leak out that Apple shipped at least some of their laptops with MM enabled, and concerns that there's no way to disable it once the device makes it to the end-user.
#4
GasBandit
GasBandit
Their stock is already down 35%.You know who's really going to suffer for this? Supermicro.
--Patrick
#5
PatrThom
--Patrick
PatrThom
No, the assertion is that actual spy ICs were substituted/added/embedded on boards during the actual manufacturing process, not after they left the factory (which suggests state-level involvement).This isn't another smokescreen to cover up the announcement that there's yet another un-announced capability in Intel's Management Engine Enabled chips which can allow outside access to your CPU, is it?
Huh, didn't even know about this. Looks like it was one of the things patched in 10.13.5, though (released June 2018).it's starting to leak out that Apple shipped at least some of their laptops with MM enabled, and concerns that there's no way to disable it once the device makes it to the end-user.
--Patrick
#6
Gared
Gared
I know, I read Bloomberg fear piece - I was more talking about how whenever either Meltdown or Spectre was announced, immediately someone else struck back with "but what about these 6 vulnerabilities in AMD chips?"No, the assertion is that actual spy ICs were substituted/added/embedded on boards during the actual manufacturing process, not after they left the factory (which suggests state-level involvement).
--Patrick
#7
PatrThom
PatrThom
...five of which require admin access to implement. Yeah, I remember.
--Patrick
--Patrick
#8
PatrThom
PatrThom
Bloomberg: Unnamed US Telecom company also victim of hacked Supermicro motherboards
Bloomberg: “We can’t name which one it is and we’re the only ones talking about this but trust us, it’s real.”
...did someone at Bloomberg short Supermicro stock hard, or what?
—Patrick
(Quote source)Bloomberg didn't name the company, citing a non-disclosure agreement between the unnamed telecom and the security firm it hired to scan its data centers. AT&T, Sprint and T-Mobile all told Ars they weren't the telecom mentioned in the Bloomberg post. Verizon and CenturyLink also denied finding backdoored Supermicro hardware in their datacenter
Bloomberg: “We can’t name which one it is and we’re the only ones talking about this but trust us, it’s real.”
...did someone at Bloomberg short Supermicro stock hard, or what?
—Patrick
#9
Gared
Gared
There aren't enough Picard facepalm jpgs out there to describe this.
#10
PatrThom
PatrThom
Some of the Internet's heaviest hitters have gone on record:
Amazon, Apple call for retraction of Bloomberg motherboard hacking story
Patrick Kennedy (of ServeTheHome.com) EXHAUSTIVELY demonstrates how implausible their claims are
Mike Masnick (of TechDirt.com) adds his two cents to Patrick's "detailed and thorough debunking" of the story
At this point, it's more likely the headline should read "Servers at Bloomberg.com infiltrated, hackers planted several fake stories," sheesh.
--Patrick
Amazon, Apple call for retraction of Bloomberg motherboard hacking story
Patrick Kennedy (of ServeTheHome.com) EXHAUSTIVELY demonstrates how implausible their claims are
Mike Masnick (of TechDirt.com) adds his two cents to Patrick's "detailed and thorough debunking" of the story
At this point, it's more likely the headline should read "Servers at Bloomberg.com infiltrated, hackers planted several fake stories," sheesh.
--Patrick
#11
Gared
Gared
And this is why I remain highly sceptical whenever claims like this come out. Every time it's debunked, and (almost) every time it (seems to?) come(s) down to someone wanting to manipulate someone else' stock price.Some of the Internet's heaviest hitters have gone on record:
Amazon, Apple call for retraction of Bloomberg motherboard hacking story
Patrick Kennedy (of ServeTheHome.com) EXHAUSTIVELY demonstrates how implausible their claims are
Mike Masnick (of TechDirt.com) adds his two cents to Patrick's "detailed and thorough debunking" of the story
At this point, it's more likely the headline should read "Servers at Bloomberg.com infiltrated, hackers planted several fake stories," sheesh.
--Patrick
#12
PatrThom
PatrThom
Supermicro’s CEO, CCO, and CPO release letter (and video!) detailing the results of their 2-month long, 3rd-party validated audit. Spoiler alert! They found no evidence of tampered product, no evidence that anyone had tried to tamper with the product, and no reports from any customers comfirming the existence of any tampered product installed in the wild. Their stock value is still down 23% from what it was the day before the story broke, but that’s still better than the 41% it lost the day the article was released.
Now I guess the question is whether the SEC goes after Bloomberg for manipulation, Supermicro sues Bloomberg for damages due to defamation/libel, or...both?
—Patrick
Now I guess the question is whether the SEC goes after Bloomberg for manipulation, Supermicro sues Bloomberg for damages due to defamation/libel, or...both?
—Patrick
#13
PatrThom
PatrThom
Six months later, Bloomberg still isn't backing down on their claim(s), but neither has the tech industry in their denial.
One thing's pretty clear, though...everyone who can afford to has begun the process of moving their manufacturing plants out of China because building your stuff in China is now considered a security hazard.
...which, given our current relationship with China, makes me wonder if this might really have been the angle all along: sow this kind of FUD and cause everyone to pull out of China as a result.
--Patrick
One thing's pretty clear, though...everyone who can afford to has begun the process of moving their manufacturing plants out of China because building your stuff in China is now considered a security hazard.
...which, given our current relationship with China, makes me wonder if this might really have been the angle all along: sow this kind of FUD and cause everyone to pull out of China as a result.
--Patrick
#14
PatrThom
Update #2 - Not about the chips, but about building in China being considered a security hazard: Beginning Jan 1, 2020, all WFOEs will lose that exception and will be treated exactly the same as domestic (Chinese) companies. This means China is about to get super nosy:
I considered posting this in the Net Neutrality thread, but felt it belonged here, instead. Who needs to plant spy chips on motherboards when every means of communication is required to have a government backdoor? I mean, they're even installing government officials within private companies, fer cryin' out loud.
So whenever Barr starts making noise about how "all encryption needs backdoors," think of how that's probably going to work out for China.
--Patrick
PatrThom
Update #1: Bloomberg still isn't backing down. Security researchers have done experiments just to see if such a thing is possible (spoiler alert: It's definitely possible), but there still have been no instances of compromised motherboards found in the wild.One thing's pretty clear, though...everyone who can afford to has begun the process of moving their manufacturing plants out of China because building your stuff in China is now considered a security hazard.
Update #2 - Not about the chips, but about building in China being considered a security hazard: Beginning Jan 1, 2020, all WFOEs will lose that exception and will be treated exactly the same as domestic (Chinese) companies. This means China is about to get super nosy:
(excerpted from "China’s New Cybersecurity Program: NO Place to Hide," a China law blog by law firm Harris|Bricken)China’s Ministry of Security [will be able] to fully access the massive amounts of raw data transmitted across [all] Chinese networks and housed on servers in China. [...] It will cover every district, every ministry, every business and other institution, basically covering the whole society. It will also cover all targets that need [cybersecurity] protection, including all networks, information systems, cloud platforms, the internet of things, control systems, big data and mobile internet. [...] No information contained on any server located within China will be exempted from this full coverage program. No communication from or to China will be exempted. There will be no secrets. No VPNs. No private or encrypted messages. No anonymous online accounts. No trade secrets. No confidential data. Any and all data will be available and open to the Chinese government. [...] [all] email and data transfer will be required to use Chinese operated communication systems that are fully open to the China’s Cybersecurity Bureau. All data servers that make any use of Chinese based communications networks will also be required to be open to the Cybersecurity Bureau’s surveillance and monitoring system.
I considered posting this in the Net Neutrality thread, but felt it belonged here, instead. Who needs to plant spy chips on motherboards when every means of communication is required to have a government backdoor? I mean, they're even installing government officials within private companies, fer cryin' out loud.
So whenever Barr starts making noise about how "all encryption needs backdoors," think of how that's probably going to work out for China.
--Patrick